<!DOCTYPE html>












  


<html class="theme-next pisces use-motion" lang="zh-CN">
<head><meta name="generator" content="Hexo 3.9.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">






















<link rel="stylesheet" href="/lib/font-awesome/css/font-awesome.min.css?v=4.7.0">

<link rel="stylesheet" href="/css/main.css?v=7.1.2">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=7.1.2">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=7.1.2">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=7.1.2">


  <link rel="mask-icon" href="/images/logo.svg?v=7.1.2" color="#222">







<script id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Pisces',
    version: '7.1.2',
    sidebar: {"position":"left","display":"post","offset":12,"onmobile":false,"dimmer":false},
    back2top: true,
    back2top_sidebar: false,
    fancybox: false,
    fastclick: false,
    lazyload: false,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>


  




  <meta name="description" content="防火墙 在REHL7系统中，firewalld防火墙取代了iptables防火墙 iptables与firewalld都不是真正的防火墙，它们都只是用来定义防火墙策略的防火墙管理工具或一种服务 iptabeles服务会把配置好的防火墙策略交由内核层面的netfilter网络过滤器处理 firewalld服务则是把配置好的防火墙策略交由内核层面的nftables包过滤框架来处理">
<meta name="keywords" content="Firewall,Iptables">
<meta property="og:type" content="article">
<meta property="og:title" content="防火墙之Iptables与Firewalld">
<meta property="og:url" content="https://lzz001.gitee.io/2019/09/01/防火墙之Iptables与Firewalld/index.html">
<meta property="og:site_name" content="小智的博客">
<meta property="og:description" content="防火墙 在REHL7系统中，firewalld防火墙取代了iptables防火墙 iptables与firewalld都不是真正的防火墙，它们都只是用来定义防火墙策略的防火墙管理工具或一种服务 iptabeles服务会把配置好的防火墙策略交由内核层面的netfilter网络过滤器处理 firewalld服务则是把配置好的防火墙策略交由内核层面的nftables包过滤框架来处理">
<meta property="og:locale" content="zh-CN">
<meta property="og:updated_time" content="2019-08-31T16:25:45.877Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="防火墙之Iptables与Firewalld">
<meta name="twitter:description" content="防火墙 在REHL7系统中，firewalld防火墙取代了iptables防火墙 iptables与firewalld都不是真正的防火墙，它们都只是用来定义防火墙策略的防火墙管理工具或一种服务 iptabeles服务会把配置好的防火墙策略交由内核层面的netfilter网络过滤器处理 firewalld服务则是把配置好的防火墙策略交由内核层面的nftables包过滤框架来处理">





  
  
  <link rel="canonical" href="https://lzz001.gitee.io/2019/09/01/防火墙之Iptables与Firewalld/">



<script id="page.configurations">
  CONFIG.page = {
    sidebar: "",
  };
</script>

  <title>防火墙之Iptables与Firewalld | 小智的博客</title>
  






  <script>
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?297412c3c8589eb0dc190e2d81f12097";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>







  <noscript>
  <style>
  .use-motion .motion-element,
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-title { opacity: initial; }

  .use-motion .logo,
  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-CN">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>
	<a href="https://github.com/zengzhiLai" target="_blank" class="github-corner" aria-label="View source on GitHub">
		<svg width="100" height="100" viewbox="0 0 250 250" style="fill:#151513; color:#fff; position: absolute; top: 0; border: 0; right: 0;" aria-hidden="true">
			<path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"/>
			<path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"/><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"/>
		</svg>
	</a>
	<style>.github-corner:hover .octo-arm{animation:octocat-wave 560ms ease-in-out}@keyframes octocat-wave{0%,100%{transform:rotate(0)}20%,60%{transform:rotate(-25deg)}40%,80%{transform:rotate(10deg)}}@media (max-width:500px){.github-corner:hover .octo-arm{animation:none}.github-corner .octo-arm{animation:octocat-wave 560ms ease-in-out}}</style>
	
    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">小智的博客</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
    
      
        <p class="site-subtitle">慢即是快</p>
      
    
    
  </div>

  <div class="site-nav-toggle">
    <button aria-label="切换导航栏">
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>



<nav class="site-nav">
  
    <ul id="menu" class="menu">
      
        
        
        
          
          <li class="menu-item menu-item-home">

    
    
      
    

    

    <a href="/" rel="section"><i class="menu-item-icon fa fa-fw fa-home"></i> <br>首页</a>

  </li>
        
        
        
          
          <li class="menu-item menu-item-about">

    
    
      
    

    

    <a href="/about/" rel="section"><i class="menu-item-icon fa fa-fw fa-user"></i> <br>关于</a>

  </li>
        
        
        
          
          <li class="menu-item menu-item-tags">

    
    
      
    

    

    <a href="/tags/" rel="section"><i class="menu-item-icon fa fa-fw fa-tags"></i> <br>标签</a>

  </li>
        
        
        
          
          <li class="menu-item menu-item-categories">

    
    
      
    

    

    <a href="/categories/" rel="section"><i class="menu-item-icon fa fa-fw fa-th"></i> <br>分类</a>

  </li>
        
        
        
          
          <li class="menu-item menu-item-archives">

    
    
      
    

    

    <a href="/archives/" rel="section"><i class="menu-item-icon fa fa-fw fa-archive"></i> <br>归档</a>

  </li>
        
        
        
          
          <li class="menu-item menu-item-commonweal">

    
    
      
    

    

    <a href="/404/" rel="section"><i class="menu-item-icon fa fa-fw fa-heartbeat"></i> <br>公益 404</a>

  </li>

      
      
    </ul>
  

  

  
</nav>



  



</div>
    </header>

    


    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          
            

          
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://lzz001.gitee.io/2019/09/01/防火墙之Iptables与Firewalld/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="小智">
      <meta itemprop="description" content="Java,Linux,Mysql">
      <meta itemprop="image" content="/images/zhi.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="小智的博客">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">防火墙之Iptables与Firewalld

              
            
          </h1>
        

        <div class="post-meta">

          
          
          

          
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              

              
                
              

              <time title="创建时间：2019-09-01 00:21:56 / 修改时间：00:25:45" itemprop="dateCreated datePublished" datetime="2019-09-01T00:21:56+08:00">2019-09-01</time>
            </span>
          

          
            

            
          

          
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing"><a href="/categories/Linux/" itemprop="url" rel="index"><span itemprop="name">Linux</span></a></span>

                
                
              
            </span>
          

          
            
            
          

          
          

          
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
                 阅读次数： 
                <span class="busuanzi-value" id="busuanzi_value_page_pv"></span>
              </span>
            </span>
          

          <br>
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="防火墙"><a href="#防火墙" class="headerlink" title="防火墙"></a>防火墙</h1><ul>
<li>在REHL7系统中，firewalld防火墙取代了iptables防火墙</li>
<li>iptables与firewalld都不是真正的防火墙，它们都只是用来定义防火墙策略的防火墙管理工具或一种服务</li>
<li>iptabeles服务会把配置好的防火墙策略交由内核层面的netfilter网络过滤器处理</li>
<li>firewalld服务则是把配置好的防火墙策略交由内核层面的nftables包过滤框架来处理</li>
</ul>
<a id="more"></a>
<h2 id="Iptables"><a href="#Iptables" class="headerlink" title="Iptables"></a>Iptables</h2><h3 id="策略与规则链"><a href="#策略与规则链" class="headerlink" title="策略与规则链"></a>策略与规则链</h3><ul>
<li>防火墙会从上至下的顺序来读取配置的策略规则，在找到匹配项后就立即结束匹配工作并去执行匹配项中定义的行为（即放行或阻止）</li>
<li>如果在读取完所有的策略规则之后没有匹配项，就去执行默认的策略</li>
<li>一般而言，防火墙策略规则的设置有两种：一种是“通”（即放行），一种是“堵”（即阻止）</li>
<li>当防火墙的默认策略为拒绝时（堵），就要设置允许规则（通），否则谁都进不来；如果防火墙的默认策略为允许时，就要设置拒绝规则，否则谁都能进来，防火墙也就失去了防范的作用</li>
</ul>
<p>iptables服务把用于处理或过滤流量的策略条目称之为规则，多条规则可以组成一个规则链，而规则链则依据数据包处理位置的不同进行分类，具体如下：</p>
<blockquote>
<p>在进行路由选择前处理数据包（PREROUTING）</p>
<p>处理流入的数据包（INPUT）</p>
<p>处理流出的数据包（OUTPUT）</p>
<p>处理转发的数据包（FORWARD）</p>
<p>在进行路由选择后处理数据包（POSTROUTING）</p>
</blockquote>
<h3 id="iptables常用参数及作用"><a href="#iptables常用参数及作用" class="headerlink" title="iptables常用参数及作用"></a>iptables常用参数及作用</h3><table>
<thead>
<tr>
<th>参数</th>
<th>作用</th>
</tr>
</thead>
<tbody><tr>
<td>-P</td>
<td>设置默认策略</td>
</tr>
<tr>
<td>-F</td>
<td>清空规则链</td>
</tr>
<tr>
<td>-L</td>
<td>查看规则链</td>
</tr>
<tr>
<td>-A</td>
<td>在规则链的末尾添加新的规则</td>
</tr>
<tr>
<td>-I num</td>
<td>在规则链的头部加入新规则</td>
</tr>
<tr>
<td>-D num</td>
<td>删除某一条规则</td>
</tr>
<tr>
<td>-s</td>
<td>匹配来源于地址IP/MASK，加叹号 “!” 表示除此IP</td>
</tr>
<tr>
<td>-d</td>
<td>匹配目标地址</td>
</tr>
<tr>
<td>-i 网卡名称</td>
<td>匹配从这块网卡流入的数据</td>
</tr>
<tr>
<td>-o 网卡名称</td>
<td>匹配从这块网卡流出的数据</td>
</tr>
<tr>
<td>-p</td>
<td>匹配协议，如TCP、UDP、ICMP</td>
</tr>
<tr>
<td>–dport num</td>
<td>匹配目标端口号</td>
</tr>
<tr>
<td>–sport num</td>
<td>匹配来源端口号</td>
</tr>
</tbody></table>
<h3 id="iptables实验"><a href="#iptables实验" class="headerlink" title="iptables实验"></a>iptables实验</h3><ol>
<li><p><strong>查看已有的防火墙规则链</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -L</span><br><span class="line">Chain INPUT (policy ACCEPT)</span><br><span class="line">target     prot opt source               destination         </span><br><span class="line">ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED</span><br><span class="line">ACCEPT     all  --  anywhere             anywhere            </span><br><span class="line">INPUT_direct  all  --  anywhere             anywhere            </span><br><span class="line">INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            </span><br><span class="line">INPUT_ZONES  all  --  anywhere             anywhere            </span><br><span class="line">ACCEPT     icmp --  anywhere             anywhere            </span><br><span class="line">REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited</span><br><span class="line">......</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>清空已有的防火墙规则链</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -F</span><br><span class="line"><span class="meta">#</span> iptables -L</span><br><span class="line">Chain INPUT (policy ACCEPT)</span><br><span class="line">target     prot opt source               destination    </span><br><span class="line">......</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>把INPUT规则链的默认策略设置为拒绝（DROP）</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -P INPUT DROP</span><br><span class="line"><span class="meta">#</span> iptables -L</span><br><span class="line">Chain INPUT (policy DROP)</span><br><span class="line">target     prot opt source               destination         </span><br><span class="line">......</span><br></pre></td></tr></table></figure>

<p>设置为允许</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -P INPUT ACCEPT</span><br><span class="line"><span class="meta">#</span> iptables -L</span><br><span class="line">Chain INPUT (policy ACCEPT)</span><br><span class="line">target     prot opt source               destination         </span><br><span class="line">......</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>向INPUT链中添加允许ICMP流量进入的策略规则</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -I INPUT -p icmp -j ACCEPT</span><br><span class="line"><span class="meta">#</span> ping -c 4 192.168.40.131</span><br><span class="line">PING 192.168.40.131 (192.168.40.131) 56(84) bytes of data.</span><br><span class="line">64 bytes from 192.168.40.131: icmp_seq=1 ttl=64 time=0.219 ms</span><br><span class="line">64 bytes from 192.168.40.131: icmp_seq=2 ttl=64 time=0.047 ms</span><br><span class="line">64 bytes from 192.168.40.131: icmp_seq=3 ttl=64 time=0.043 ms</span><br><span class="line">64 bytes from 192.168.40.131: icmp_seq=4 ttl=64 time=0.105 ms</span><br><span class="line"></span><br><span class="line">--- 192.168.40.131 ping statistics ---</span><br><span class="line">4 packets transmitted, 4 received, 0% packet loss, time 3003ms</span><br><span class="line">rtt min/avg/max/mdev = 0.043/0.103/0.219/0.071 ms</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>将INPUT规则链设置为只允许指定网段的主机访问本机的22端口，拒绝来自其他所有主机的流量</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -I INPUT -s 192.168.40.0/24 -p tcp --dport 22 -j ACCEPT</span><br><span class="line"><span class="meta">#</span> iptables -A INPUT -p tcp --dport 22 -j REJECT</span><br><span class="line"><span class="meta">#</span> iptables -L</span><br><span class="line">Chain INPUT (policy ACCEPT)</span><br><span class="line">target     prot opt source               destination         </span><br><span class="line">ACCEPT     tcp  --  192.168.40.0/24      anywhere             tcp dpt:ssh</span><br><span class="line">ACCEPT     icmp --  anywhere             anywhere            </span><br><span class="line">REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable</span><br><span class="line">......</span><br></pre></td></tr></table></figure>

<p>测试：用192.168.40.0/24网段的IP地址访问服务器的22端口（ssh服务）</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> ssh 192.168.40.131</span><br><span class="line">The authenticity of host '192.168.40.131 (192.168.40.131)' can't be established.</span><br><span class="line">ECDSA key fingerprint is 1f:b2:22:cb:dd:25:d5:4b:ff:99:77:6a:27:16:76:2d.</span><br><span class="line">Are you sure you want to continue connecting (yes/no)? yes</span><br><span class="line">Warning: Permanently added '192.168.40.131' (ECDSA) to the list of known hosts.</span><br><span class="line">root@192.168.40.131's password: </span><br><span class="line">Last login: Fri Aug 30 02:08:17 2019</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>向INPUT规则链中添加拒绝所有人访问本机12345端口的策略规则</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -I INPUT -p tcp --dport 12345 -j REJECT</span><br><span class="line"><span class="meta">#</span> iptables -I INPUT -p udp --dport 12345 -j REJECT</span><br><span class="line"><span class="meta">#</span> iptables -L</span><br><span class="line">Chain INPUT (policy ACCEPT)</span><br><span class="line">target     prot opt source               destination         </span><br><span class="line">REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable</span><br><span class="line">REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable</span><br><span class="line">ACCEPT     tcp  --  192.168.40.0/24      anywhere             tcp dpt:ssh</span><br><span class="line">ACCEPT     icmp --  anywhere             anywhere            </span><br><span class="line">REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable</span><br><span class="line">......</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>向INPUT规则链中添加拒绝192.168.10.5主机访问本机80端口（Web服务）的策略规则</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -I INPUT -p tcp -s 192.168.40.5 --dport 80 -j REJECT</span><br><span class="line"><span class="meta">#</span> iptables -L</span><br><span class="line">Chain INPUT (policy ACCEPT)</span><br><span class="line">target     prot opt source               destination         </span><br><span class="line">REJECT     tcp  --  192.168.40.5         anywhere             tcp dpt:http reject-with icmp-port-unreachable</span><br><span class="line">REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable</span><br><span class="line">REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable</span><br><span class="line">ACCEPT     tcp  --  192.168.40.0/24      anywhere             tcp dpt:ssh</span><br><span class="line">ACCEPT     icmp --  anywhere             anywhere            </span><br><span class="line">REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable</span><br><span class="line">......</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>向INPUT规则链中添加拒绝所有主机访问本机1000～1024端口的策略规则</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> iptables -A INPUT -p tcp --dport 1000:1024 -j REJECT</span><br><span class="line"><span class="meta">#</span> iptables -A INPUT -p udp --dport 1000:1024 -j REJECT</span><br><span class="line"><span class="meta">#</span> iptables -L</span><br><span class="line">Chain INPUT (policy ACCEPT)</span><br><span class="line">target     prot opt source               destination         </span><br><span class="line">REJECT     tcp  --  192.168.40.5         anywhere             tcp dpt:http reject-with icmp-port-unreachable</span><br><span class="line">REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable</span><br><span class="line">REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable</span><br><span class="line">ACCEPT     tcp  --  192.168.40.0/24      anywhere             tcp dpt:ssh</span><br><span class="line">ACCEPT     icmp --  anywhere             anywhere            </span><br><span class="line">REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable</span><br><span class="line">REJECT     tcp  --  anywhere             anywhere             tcp dpts:cadlock2:1024 reject-with icmp-port-unreachable</span><br><span class="line">REJECT     udp  --  anywhere             anywhere             udp dpts:cadlock2:1024 reject-with icmp-port-unreachable</span><br><span class="line">......</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>执行保存命令，让配置的防火墙策略永久生效，否则系统重启后失效</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> service iptables save</span><br><span class="line">iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]</span><br></pre></td></tr></table></figure>

</li>
</ol>
<h2 id="Firewalld"><a href="#Firewalld" class="headerlink" title="Firewalld"></a>Firewalld</h2><ul>
<li>firewalld（Dynamic Firewall Manager of Linux systems，Linux系统的动态防火墙管理器）</li>
<li>firewalld服务是默认的防火墙配置管理工具，它拥有基于CLI（命令行界面）和基于GUI（图形用户界面）的两种管理方式</li>
<li>相较于传统的防火墙管理配置工具，firewalld支持动态更新技术并加入了区域（zone）的概念</li>
<li>区域就是firewalld预先准备了几套防火墙策略集合（策略模板），用户可以根据生产场景的不同而选择合适的策略集合，从而实现防火墙策略之间的快速切换</li>
</ul>
<h3 id="firewalld常用区域名称及策略规则"><a href="#firewalld常用区域名称及策略规则" class="headerlink" title="firewalld常用区域名称及策略规则"></a>firewalld常用区域名称及策略规则</h3><table>
<thead>
<tr>
<th>区域</th>
<th>默认规则策略</th>
</tr>
</thead>
<tbody><tr>
<td>trusted</td>
<td>允许所有的数据包</td>
</tr>
<tr>
<td>home</td>
<td>拒绝流入的流量，除非与流出的流量相关；而如果流量与ssh、mdns、ipp-client、amba-client与dhcpv6-client服务相关，则允许流量</td>
</tr>
<tr>
<td>internal</td>
<td>等同于home区域</td>
</tr>
<tr>
<td>work</td>
<td>拒绝流入的流量，除非与流出的流量相关；而如果流量与ssh、ipp-client与dhcpv6-client服务相关，则允许流量</td>
</tr>
<tr>
<td>public</td>
<td>拒绝流入的流量，除非与流出的流量相关；而如果流量与ssh、dhcpv6-client服务相关，则允许流量</td>
</tr>
<tr>
<td>external</td>
<td>拒绝流入的流量，除非与流出的流量相关；而如果流量与ssh服务相关，则允许流量</td>
</tr>
<tr>
<td>dmz</td>
<td>拒绝流入的流量，除非与流出的流量相关；而如果流量与ssh服务相关，则允许流量</td>
</tr>
<tr>
<td>block</td>
<td>拒绝流入的流量，除非与流出的流量相关</td>
</tr>
<tr>
<td>drop</td>
<td>拒绝流入的流量，除非与流出的流量相关</td>
</tr>
</tbody></table>
<h3 id="终端管理工具——firewall-cmd"><a href="#终端管理工具——firewall-cmd" class="headerlink" title="终端管理工具——firewall-cmd"></a>终端管理工具——firewall-cmd</h3><ul>
<li>firewall-cmd是firewalld防火墙配置管理工具的CLI（命令行界面）版本</li>
<li>可以用Tab键来补齐firewall-cmd命令中的长格式参数</li>
</ul>
<h3 id="firewall-cmd命令中使用的参数以及作用"><a href="#firewall-cmd命令中使用的参数以及作用" class="headerlink" title="firewall-cmd命令中使用的参数以及作用"></a>firewall-cmd命令中使用的参数以及作用</h3><table>
<thead>
<tr>
<th>参数</th>
<th>作用</th>
</tr>
</thead>
<tbody><tr>
<td>–get-default-zone</td>
<td>查询默认的区域名称</td>
</tr>
<tr>
<td>–set-default-zone=&lt;区域名称&gt;</td>
<td>设置默认的区域，使其永久生效</td>
</tr>
<tr>
<td>–get-zones</td>
<td>显示可用的区域</td>
</tr>
<tr>
<td>–get-services</td>
<td>显示预先定义的服务</td>
</tr>
<tr>
<td>–get-active-zones</td>
<td>显示当前正在使用的区域与网卡名称</td>
</tr>
<tr>
<td>–add-source=</td>
<td>将源自此IP或子网的流量导向指定的区域</td>
</tr>
<tr>
<td>–remove-source=</td>
<td>不再将源自此IP或子网的流量导向某个指定区域</td>
</tr>
<tr>
<td>–add-interface=&lt;网卡名称&gt;</td>
<td>将源自该网卡的所有流量都导向某个指定区域</td>
</tr>
<tr>
<td>–change-interface=&lt;网卡名称&gt;</td>
<td>将某个网卡与区域进行关联</td>
</tr>
<tr>
<td>–list-all</td>
<td>显示当前区域的网卡配置参数、资源、端口以及服务等信息</td>
</tr>
<tr>
<td>–list-all-zones</td>
<td>显示所有区域的网卡配置参数、资源、端口以及服务等信息</td>
</tr>
<tr>
<td>–add-service=&lt;服务名&gt;</td>
<td>设置默认区域允许该服务的流量</td>
</tr>
<tr>
<td>–add-port=&lt;端口号/协议&gt;</td>
<td>设置默认区域允许该端口的流量</td>
</tr>
<tr>
<td>–remove-service=&lt;服务名&gt;</td>
<td>设置默认区域不再允许该服务的流量</td>
</tr>
<tr>
<td>–remove-port=&lt;端口号/协议&gt;</td>
<td>设置默认区域不再允许该端口的流量</td>
</tr>
<tr>
<td>–reload</td>
<td>让“永久生效”的配置规则立即生效，并覆盖当前的配置规则</td>
</tr>
<tr>
<td>–panic-on</td>
<td>开启应急状况模式</td>
</tr>
<tr>
<td>–panic-off</td>
<td>关闭应急状况模式</td>
</tr>
<tr>
<td>–permanent</td>
<td>永久模式（当前不生效，系统重启或reload后才自动生效）</td>
</tr>
</tbody></table>
<h3 id="firewalld实验"><a href="#firewalld实验" class="headerlink" title="firewalld实验"></a>firewalld实验</h3><ol>
<li><p><strong>查看firewalld服务当前所使用的区域</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --get-default-zone</span><br><span class="line">public</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>查询网卡eno16777728在firewalld服务中的区域</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --get-zone-of-interface=eno16777728</span><br><span class="line">public</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>将firewalld服务中网卡eno16777728的默认区域修改为external（系统重启后才生效）。分别查看当前与永久模式下的区域名称</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --permanent --zone=external --change-interface=eno16777728</span><br><span class="line">success</span><br><span class="line"><span class="meta">#</span> firewall-cmd --get-zone-of-interface=eno16777728</span><br><span class="line">public</span><br><span class="line"><span class="meta">#</span> firewall-cmd --permanent --get-zone-of-interface=eno16777728</span><br><span class="line">external</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>将firewalld服务的当前默认区域设置为public</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --set-default-zone=public</span><br><span class="line">Warning: ZONE_ALREADY_SET: public</span><br><span class="line"><span class="meta">#</span> firewall-cmd --get-default-zone</span><br><span class="line">public</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>启动/关闭firewalld防火墙服务的应急状况模式，阻断一切网络连接（<font color="red">远程控制服务器时 慎用！</font>）</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --panic-on</span><br><span class="line">success</span><br><span class="line"><span class="meta">#</span> firewall-cmd --panic-off</span><br><span class="line">success</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>查询public区域是否允许请求SSH和HTTPS协议的流量</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --zone=public --query-service=ssh</span><br><span class="line">yes</span><br><span class="line"><span class="meta">#</span> firewall-cmd --zone=public --query-service=https</span><br><span class="line">no</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>将firewalld服务中请求HTTPS协议的流量设置为永久允许，并立即生效</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --zone=public --add-service=https</span><br><span class="line">success</span><br><span class="line"><span class="meta">#</span> firewall-cmd --permanent --zone=public --add-service=https</span><br><span class="line">success</span><br><span class="line"><span class="meta">#</span> firewall-cmd --reload</span><br><span class="line">success</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>将firewalld服务中请求HTTP协议的流量设置为永久拒绝，并立即生效</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --permanent --zone=public --remove-service=http</span><br><span class="line">success</span><br><span class="line"><span class="meta">#</span> firewall-cmd --reload</span><br><span class="line">success</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>将在firewalld服务中访问8080和8081端口的流量策略设置为允许，但仅限当前生效</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --zone=public --add-port=8080-8081/tcp</span><br><span class="line">success</span><br><span class="line"><span class="meta">#</span> firewall-cmd --zone=public --list-ports</span><br><span class="line">69/udp 8080-8081/tcp</span><br></pre></td></tr></table></figure>

<p>69/udp是TFTP的端口号</p>
</li>
<li><p><strong>将原本访问本机888端口的流量转发到22端口，且要求当前和长期有效</strong></p>
<blockquote>
<p>流量转发命名格式：<code>firewall-cmd --permanent --zone=&lt;区域&gt; --add-forward-port=port=&lt;源端口号&gt;:proto=&lt;协议&gt;:toport=&lt;目标端口号&gt;:toaddr=&lt;目标IP地址&gt;</code></p>
</blockquote>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --permanent --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.40.131</span><br><span class="line">success</span><br><span class="line"><span class="meta">#</span> firewall-cmd --reload</span><br><span class="line">success</span><br></pre></td></tr></table></figure>

<p>在Windows10中用Xshell 6访问192.168.40.131主机的888端口，成功</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">[C:\~]$ ssh root@192.168.40.131 888</span><br><span class="line"></span><br><span class="line">Connecting to 192.168.40.131:888...</span><br><span class="line">Connection established.</span><br><span class="line">To escape to local shell, press 'Ctrl+Alt+]'.</span><br><span class="line"></span><br><span class="line">Last failed login: Fri Aug 30 20:39:36 CST 2019 from 192.168.40.1 on ssh:notty</span><br><span class="line">There was 1 failed login attempt since the last successful login.</span><br><span class="line">Last login: Fri Aug 30 20:36:01 2019 from 192.168.40.1</span><br><span class="line">[root@localhost ~]#</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>配置一条富规则，使其拒绝192.168.40.0/24网段的所有用户访问本机的ssh服务（22端口）</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.40.0/24" service name="ssh" reject"</span><br><span class="line">success</span><br><span class="line"><span class="meta">#</span> firewall-cmd --reload</span><br><span class="line">success</span><br></pre></td></tr></table></figure>

<p>在Windows10中用Xshell 6访问192.168.40.131主机的ssh服务（ 22端口），失败</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">[C:\~]$ ssh 192.168.40.131</span><br><span class="line"></span><br><span class="line">Connecting to 192.168.40.131:22...</span><br><span class="line">Could not connect to '192.168.40.131' (port 22): Connection failed.</span><br></pre></td></tr></table></figure>

</li>
</ol>
<h2 id="服务的访问控制列表"><a href="#服务的访问控制列表" class="headerlink" title="服务的访问控制列表"></a>服务的访问控制列表</h2><ul>
<li>TCP Wrappers是RHEL7系统中默认启用的一款流量监控程序</li>
<li>它能够根据来访主机的地址与本机的目标服务程序作出允许或拒绝的操作</li>
<li>TCP Wrappers服务的防火墙策略由两个控制列表文件所控制，用户可以编辑<strong>允许控制列表文件</strong>来放行对服务的请求流量，也可以编辑<strong>拒绝控制列表文件</strong>来阻止对服务的请求流量</li>
<li>控制列表文件修改后会立即生效，系统将会先检查允许控制列表文件（/etc/hosts.allow）</li>
<li>如果<strong>匹配到</strong>相应的允许策略规则<strong>放行</strong>流量；如果<strong>没有匹配</strong>，则去进一步匹配拒绝控制列表文件（/etc/hosts.deny），若找到匹配项则拒绝该流量。如果这两个文件<strong>全都没有匹配到</strong>，则默认放行流量</li>
</ul>
<h3 id="TCP-Wrappers服务控制列表文件的常用参数"><a href="#TCP-Wrappers服务控制列表文件的常用参数" class="headerlink" title="TCP Wrappers服务控制列表文件的常用参数"></a>TCP Wrappers服务控制列表文件的常用参数</h3><table>
<thead>
<tr>
<th>客户端类型</th>
<th>示例</th>
<th>满足示例的客户端列表</th>
</tr>
</thead>
<tbody><tr>
<td>单一主机</td>
<td>192.168.40.131</td>
<td>IP地址为192.168.40.131的主机</td>
</tr>
<tr>
<td>指定网段</td>
<td>192.168.40. 或 192.168.40.0/255.255.255.0</td>
<td>IP段为192.168.40.0/24的主机</td>
</tr>
<tr>
<td>指定DNS后缀</td>
<td>.zengzhilai.com</td>
<td>所有DNS后缀为.zengzhilai.com的主机</td>
</tr>
<tr>
<td>指定主机名称</td>
<td><a href="http://www.zengzhilai.com" target="_blank" rel="noopener">www.zengzhilai.com</a></td>
<td>主机名称为<a href="http://www.zengzhi.com的主机" target="_blank" rel="noopener">www.zengzhi.com的主机</a></td>
</tr>
<tr>
<td>指定所有客户端</td>
<td>ALL</td>
<td>所有主机全部包括在内</td>
</tr>
</tbody></table>
<h3 id="配置TCP-Wrappers服务需遵循的两个原则"><a href="#配置TCP-Wrappers服务需遵循的两个原则" class="headerlink" title="配置TCP Wrappers服务需遵循的两个原则"></a>配置TCP Wrappers服务需遵循的两个原则</h3><ul>
<li>编写拒绝策略规则时，填写的是服务名称，而非协议名称</li>
<li>建议先编写拒绝策略规则，测试后再编写允许策略规则，这样可直观地看到相应的效果</li>
</ul>
<ol>
<li><p><strong>编辑拒绝策略规则文件：禁止访问本机sshd服务的所有流量</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> vim /etc/hosts.deny</span><br><span class="line">......</span><br><span class="line">sshd:*</span><br><span class="line"><span class="meta">#</span> ssh 192.168.40.131</span><br><span class="line">ssh_exchange_identification: read: Connection reset by peer</span><br></pre></td></tr></table></figure>
</li>
<li><p><strong>编辑允许策略规则文件：放行源自192.168.40.0/24网段访问本机sshd服务的所有流量</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span> vim /etc/hosts.allow</span><br><span class="line">......</span><br><span class="line">sshd:192.168.40.</span><br><span class="line"><span class="meta">#</span> ssh 192.168.40.131</span><br><span class="line">root@192.168.40.131's password: </span><br><span class="line">Last login: Fri Aug 30 20:39:41 2019 from 192.168.40.1</span><br><span class="line"><span class="meta">#</span></span><br></pre></td></tr></table></figure>

</li>
</ol>

      
    </div>

    

    
    
    

    

    
      
    
    

    

    <footer class="post-footer">
      
        
          
        
        <div class="post-tags">
          
            <a href="/tags/Firewall/" rel="tag"># Firewall</a>
          
            <a href="/tags/Iptables/" rel="tag"># Iptables</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/08/24/DNS域名解析服务/" rel="next" title="DNS域名解析服务">
                <i class="fa fa-chevron-left"></i> DNS域名解析服务
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/09/03/使用MariaDB数据库管理系统/" rel="prev" title="使用MariaDB数据库管理系统">
                使用MariaDB数据库管理系统 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>


  </div>


          </div>
          

  
    <div class="comments" id="gitalk-container">
    </div>

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image" src="/images/zhi.jpg" alt="小智">
            
              <p class="site-author-name" itemprop="name">小智</p>
              <div class="site-description motion-element" itemprop="description">Java,Linux,Mysql</div>
          </div>

          
            <nav class="site-state motion-element">
              
                <div class="site-state-item site-state-posts">
                
                  <a href="/archives/">
                
                    <span class="site-state-item-count">22</span>
                    <span class="site-state-item-name">日志</span>
                  </a>
                </div>
              

              
                
                
                <div class="site-state-item site-state-categories">
                  
                    
                      <a href="/categories/">
                    
                  
                    
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                    <span class="site-state-item-count">5</span>
                    <span class="site-state-item-name">分类</span>
                  </a>
                </div>
              

              
                
                
                <div class="site-state-item site-state-tags">
                  
                    
                      <a href="/tags/">
                    
                  
                    
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                    <span class="site-state-item-count">37</span>
                    <span class="site-state-item-name">标签</span>
                  </a>
                </div>
              
            </nav>
          

          

          

          

          

          
          

          
            
          
          

        </div>
      </div>

      
      <!--noindex-->
        <div class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
            
            
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#防火墙"><span class="nav-number">1.</span> <span class="nav-text">防火墙</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#Iptables"><span class="nav-number">1.1.</span> <span class="nav-text">Iptables</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#策略与规则链"><span class="nav-number">1.1.1.</span> <span class="nav-text">策略与规则链</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#iptables常用参数及作用"><span class="nav-number">1.1.2.</span> <span class="nav-text">iptables常用参数及作用</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#iptables实验"><span class="nav-number">1.1.3.</span> <span class="nav-text">iptables实验</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Firewalld"><span class="nav-number">1.2.</span> <span class="nav-text">Firewalld</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#firewalld常用区域名称及策略规则"><span class="nav-number">1.2.1.</span> <span class="nav-text">firewalld常用区域名称及策略规则</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#终端管理工具——firewall-cmd"><span class="nav-number">1.2.2.</span> <span class="nav-text">终端管理工具——firewall-cmd</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#firewall-cmd命令中使用的参数以及作用"><span class="nav-number">1.2.3.</span> <span class="nav-text">firewall-cmd命令中使用的参数以及作用</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#firewalld实验"><span class="nav-number">1.2.4.</span> <span class="nav-text">firewalld实验</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#服务的访问控制列表"><span class="nav-number">1.3.</span> <span class="nav-text">服务的访问控制列表</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#TCP-Wrappers服务控制列表文件的常用参数"><span class="nav-number">1.3.1.</span> <span class="nav-text">TCP Wrappers服务控制列表文件的常用参数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#配置TCP-Wrappers服务需遵循的两个原则"><span class="nav-number">1.3.2.</span> <span class="nav-text">配置TCP Wrappers服务需遵循的两个原则</span></a></li></ol></li></ol></li></ol></div>
            

          </div>
        </div>
      <!--/noindex-->
      

      

    </div>
  </aside>
  


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2019</span>
  <span class="with-love" id="animate">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">小智</span>

  

  
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
    
      <span class="post-meta-item-text">站点阅读时长 &asymp;</span>
    
    <span title="站点阅读时长">2:07</span>
  
</div>









        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  
    <span class="post-meta-item-icon">
      <i class="fa fa-user"></i>
    </span>
    <span class="site-uv" title="总访客量">
      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
    </span>
  

  
    <span class="post-meta-divider">|</span>
  

  
    <span class="post-meta-item-icon">
      <i class="fa fa-eye"></i>
    </span>
    <span class="site-pv" title="总访问量">
      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
    </span>
  
</div>









        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

    

    
  </div>

  

<script>
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>


























  
  <script src="/lib/jquery/index.js?v=3.4.1"></script>

  
  <script src="/lib/velocity/velocity.min.js?v=1.2.1"></script>

  
  <script src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>


  


  <script src="/js/utils.js?v=7.1.2"></script>

  <script src="/js/motion.js?v=7.1.2"></script>



  
  


  <script src="/js/affix.js?v=7.1.2"></script>

  <script src="/js/schemes/pisces.js?v=7.1.2"></script>



  
  <script src="/js/scrollspy.js?v=7.1.2"></script>
<script src="/js/post-details.js?v=7.1.2"></script>



  


  <script src="/js/next-boot.js?v=7.1.2"></script>


  

  

  

  


  
    

<script src="//cdn.jsdelivr.net/npm/gitalk@1/dist/gitalk.min.js"></script>



<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/gitalk@1/dist/gitalk.min.css">



<script src="//cdn.jsdelivr.net/npm/js-md5@0.7.3/src/md5.min.js"></script>

<script>
  var gitalk = new Gitalk({
    clientID: '4a3937b2ec1408fa593c',
    clientSecret: 'bb11519c1d0aafd8540c58fe182487d24b1a1a6f',
    repo: 'zengzhiLai.github.io',
    owner: 'zengzhiLai',
    admin: ['zengzhiLai'],
    id: md5(location.pathname),
    
      language: window.navigator.language || window.navigator.userLanguage,
    
    distractionFreeMode: 'true'
  });
  gitalk.render('gitalk-container');
</script>

  


  




  

  

  

  

  

  
  <script>
    (function(){
      var bp = document.createElement('script');
      var curProtocol = window.location.protocol.split(':')[0];
      bp.src = (curProtocol === 'https') ? 'https://zz.bdstatic.com/linksubmit/push.js' : 'http://push.zhanzhang.baidu.com/push.js';
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(bp, s);
    })();
  </script>


  

  

  

  

  

  

  

  

</body>
</html>
<!-- 页面点击小红心 -->
	<script type="text/javascript" src="js/schemes/clicklove.js"></script>